1

Topic: Concerning Keyboards

In the past, I have not given keyboards much thought, but recently I had one fail.  That started me looking for a replacement, but then I realize there are many kinds of keyboards now days that differ at various levels in the hardware, firmware and software, not to mention cost.  So looking for some advice and more experienced input on what is the good, bad and ugly in the keyboard arena.  Especially in terms of hardware and software that respects the freedom and privacy of the user.

The keyboard that I am currently trying to replace is for a desktop, but I suppose the same questions may apply to laptop keyboards.  The aspect that particularly concerns me, and which I think I lack some understanding is the difference between older systems that use PS2 and newer systems that use USB.  Is there any kind of security risk with USB keyboards?  How would I know if the firmware in such a keyboard is one that can be trusted?  Is it better or safer to use a PS2 keyboard?  Is there any difference between PS2 and USB in the operating system?  I am guessing that in Hyperbola I am using only free drivers for a keyboard device, so does that make me safer against potentially getting exposed to a malicious firmware?

Also with many of the USB keyboards, especially the gaming keyboards, there appears to be a set of opensource tools for programming the keyboard firmware, I am not sure if these are totally freedom respecting.  They refer to these as QMK and VIA.  QMK (quantum mechanical keyboard) is a software project that allows users to build their own firmware and load them into the keyboard.  VIA I think enables commands to be sent to the keyboard firmware, but what scares me with this is that it is meant to work through the web browser (Chrome mostly).  Good or bad?  What are the pros and cons of these tools?

In the end I like Hyperbola and the philosophy to keep the system simple to the degree where I can have understanding and control over what it does for me.  For instance when using a USB memory device, I have come to like mounting it myself just using the 'doas mount' command, that way I only connect to a device I have some knowledge about where it comes from.  I used to automount, but now I have concerns.  Though I suppose USB memory and the firmware on USB devices is a related topic, usb hard drives too.  And the firmware in any USB device I suppose could pretend to be a keyboard, so wondering a little how to gain control over preventing or minimizing those situations?  Is there anything special I should be doing to secure the keyboard connection in configuration of Hyperbola?

Maybe I don't know all the right questions to ask here.  Maybe also some questions are pretty basic and just lack of knowledge on my side, though I suspect others might have some gaps they would like filled in on too.  So definetly would be interested to hear any insights on this from the community.

2 (edited by rachad 2023-04-11 16:02:05)

Re: Concerning Keyboards

you dont have to worry 2.0 USB is safe cause it doesn't have "direct memory access" so even if your keyboard or any inputed device have some malicious firmware it wont be able to do anything, and so also there is no risk in automount i hope these few words answers ur concerns wink
this is only for 2.0 usb not 3.0 as it has "direct memory access"

3

Re: Concerning Keyboards

rachad wrote:

you dont have to worry 2.0 USB is safe cause it doesn't have "direct memory access" so even if your keyboard or any inputed device have some malicious firmware it wont be able to do anything, and so also there is no risk in automount i hope these few words answers ur concerns wink
this is only for 2.0 usb not 3.0 as it has "direct memory access"

Thanks for this advice, I was also unaware of that difference between 2.0 and 3.0 USB.  I need to think more on what that mean becasue I think I do use some USB 3 external storage devices.

But also I can see the malicious keyboard being a problem regardless of 2.0 and 3.0 USB.  If it has bad firmware, as a keyboard device it can access a terminal the same way you do, just by sending keystroke commands of its own.  You can read more about that here:

https://en.wikipedia.org/wiki/BadUSB

I am trying to think what options I might have to protect my system from this, at least to some degree.  Some possibilities I am looking at:

Just disabling USB HID devices and using PS2 connections.  At least a USB device pretending to be a keyboard would not get connected.

Or maybe writing some kind of udev rule.

In either case I know I am a bit of an amature at this, so there is a learning curve and gaps I need to fill, but seems like other people are trying some similar things like this.  Unless I am misunderstanding something here, the whole situation however is very dissapointing,  How is it that the hardware does not get implemented in a better more thought out way?

4 (edited by zapper 2023-04-13 15:33:48)

Re: Concerning Keyboards

Actually, if you want really bad malicious usb functionality, try usb 4 or newer.

Or if you want mega bad malicious functionality try bluetooth.

Bluetooth is made behind closed doors by a small group of people but it has a massive amount of issues.

What I wouldn't give to get rid of bluetooth...

From the world itself. As well as similar crap like it.

Just because the people of the world can make technology smaller and smaller regarding storage doesn't mean that everything tech wise needs to get more and more bloated.

Like the web... 

Smh...

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!